Heartbleed hack case sees first arrest in Canada (bbc.co.uk)
56 points by stehat on April 16, 2014 | hide | past | favorite | 33 comments


> "I hope the actions of hijacking Justine's account help draw attention to how big a deal this is," the hacker wrote on the social network. "I suspect a lot of people would not have taken it seriously otherwise. Be thankful that the person who got access to the server information was kind enough to let you all know (and at least try and be funny with it) instead of simply sitting on the information."

It's not clear to me that the hacker was malicious.

That said, governments are _not_ hacker-friendly like Google, Facebook, Twitter, etc. Never hack the government thinking you're doing them a favor, they will never see it that way. You will be arrested.


Direct link to the CRA response http://www.cra-arc.gc.ca/gncy/sttmnt2-eng.html

"Regrettably, the CRA has been notified by the Government of Canada's lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period."

That seems to be implying that another government agency (RCMP? CSEC?) monitors at least the CRA network and does some kind of deep packet inspection and/or packet logging. So are they logging every packet that gets sent to the CRA network? Or did they know about it beforehand and could detect it in real time with an IDS?


Also mentioned in that link is Shared Services Canada, which appears to be a division that's tasked with bringing the various departments' IT infrastructures under a single umbrella. From their website (http://www.ssc-spc.gc.ca/index-eng.html):

"Shared Services Canada was created on August 4, 2011 to fundamentally transform how the Government manages its information technology (IT) infrastructure. Its mandate for the provision of enterprise-wide IT-infrastructure services represents better value for money and a more reliable IT infrastructure to support modern government operations."


Agreed, it's quite impressive they were able to detect this attack and find its source so quickly after a brand new vulnerability was exposed.

If a central agency is managing security for various important government systems, they may have full packet capture logging for up to the past 48 hours or longer.

An analyst may have downloaded the entire packet capture and used a tool like Wireshark to drill down into all heartbeat requests, and then use filters to find suspicious and malformed requests. One example of how they could do this is with the advice given here: http://security.stackexchange.com/a/55533


Depends on the timeline. IDS rules for detecting attacks aren't all that complicated. But getting those rules into place before attackers went crazy is a whole other thing. So either their network security people were on the ball or they were possibly recording traffic and ran a playback of the data against a detection ruleset.

Also, the US may be similar to Canada in this respect. I believe the Department of Homeland Security[0] handles a lot of the network security for much of the federal government.

[0] http://www.dhs.gov/network-security-deployment
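The two comments above (drilling into heartbeat records with Wireshark filters, or replaying captured traffic against an IDS ruleset) both come down to the same check: a TLS heartbeat record whose claimed payload_length cannot fit in the record it arrived in. This added example (not from the thread, the CRA, or any real IDS) implements that check over constructed TLS records, assuming the record and heartbeat layouts from RFC 5246 and RFC 6520.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

TLS_HEARTBEAT = 24        # TLS ContentType for heartbeat (RFC 6520)
TLS_APPLICATION_DATA = 23
HEARTBEAT_REQUEST = 1
MIN_PADDING = 16          # RFC 6520: a HeartbeatMessage carries at least 16 bytes of padding


@dataclass
class Verdict:
    record_len: int
    claimed_payload_len: int
    malformed: bool
    reason: str


def check_heartbeat_record(record: bytes) -> Optional[Verdict]:
    """Inspect one raw TLS record. Returns None for non-heartbeat records."""
    if len(record) < 5:
        return None
    content_type, _version, record_len = struct.unpack("!BHH", record[:5])
    if content_type != TLS_HEARTBEAT:
        return None
    body = record[5:5 + record_len]
    if len(body) < 3:
        return Verdict(record_len, -1, True, "truncated heartbeat header")
    _hb_type, claimed = struct.unpack("!BH", body[:3])
    # The 3-byte heartbeat header, the claimed payload and the minimum padding
    # must all fit inside the record; a larger claim is the Heartbleed pattern
    # (the peer would answer with memory it never received).
    if claimed + 3 + MIN_PADDING > record_len:
        return Verdict(record_len, claimed, True, "payload_length exceeds record")
    return Verdict(record_len, claimed, False, "ok")


def scan_records(records: List[bytes]) -> List[Verdict]:
    """Replay a list of records (e.g. from a capture) and keep heartbeat verdicts."""
    return [v for r in records if (v := check_heartbeat_record(r)) is not None]


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Build a constructed heartbeat request record with a given claimed length."""
    body = struct.pack("!BH", HEARTBEAT_REQUEST, claimed_len) + payload + b"\x00" * MIN_PADDING
    return struct.pack("!BHH", TLS_HEARTBEAT, 0x0302, len(body)) + body


# Constructed sample records, not captured traffic.
BENIGN = build_heartbeat(b"ping", 4)          # claims 4 bytes, sends 4
MALFORMED = build_heartbeat(b"", 0xFFFF)      # claims 65535 bytes, sends none
APP_DATA = struct.pack("!BHH", TLS_APPLICATION_DATA, 0x0302, 5) + b"hello"
```

On a real capture the records would come from the TLS reassembly of each flow; counting malformed verdicts per source address is what turns this check into the "repeated requests" signal the later comments discuss.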


"Hey, I didn't know it was a crime to miscount the length of a string [by several thousands]." -> Not recommended as legal defense


Interesting the difference between this article and other articles reporting on more recent hacks. Those articles always point out how much jail time the hacker is facing.

I suspect the Canadian authorities aren't as ruthless with their computer crime laws as the prosecutors are here, but you never know. Any idea what the kid is facing in terms of punishment?


“Unauthorized Use of Computer” is maximum 10 years in prison in Canada, which is pretty much equivalent to American law. The additional mischief charge will probably get dropped.

https://en.wikibooks.org/wiki/Canadian_Criminal_Law/Offences...

> is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years, or is guilty of an offence punishable on summary conviction.


Googled his name and found his Github profile:

https://github.com/Stephsolis

He mentions a school assignment for "CS2212" which means he is likely a CS student at Western University in Canada.


Why not let him choose to publicize his defense or have a trial first?

Edit: parent comment was edited after I posted this.


No part of my comment accused him of being guilty. His name is on every news site around the world.

I found the fact he is a CS student relevant to the news article. As is the fact he has a git repo where he coded a Java crypto library, when he's being accused of exploiting a crypto library.


I didn't accuse you of accusing him of being guilty.

There will be plenty of time to rummage through his life, internet and not, no need to rush into it.

"Person accused of hacking good with computers, uses them" isn't exactly a revelation.


> There will be plenty of time to rummage through his life, internet and not, no need to rush into it.

I find that those types of comments, even if well intended, are in the end not helpful. First because dmix wasn't "rummaging through his life" but pointing out public facts related to his abilities as a coder.

Second because I wonder when the time to discuss this will be? Once nobody talks about it anymore and it becomes completely irrelevant and forgotten? Now is the exact time to discuss this.


There is little need for the internet at large to discuss anything about this teenager.


Ehh, maybe someone wants to hire the kid.


A lawyer I consulted with is defending him, making him out to be the victim by the RCMP. Seems like a tactic to distract people from what he actually did. http://www.lfpress.com/2014/04/16/london-teen-charged-in-hea...

Of course he's from my town, and of course he's taking computer science. This was my first instinct when I heard of the case, that it was some kid thinking he was safe behind his computer screen. I only say this because I've seen it A LOT in this town while going to school.


Google is one of the companies affected very badly by the HeartBleed bug. Almost all of Google's services, like YouTube and Gmail, are affected. Amazon and Yahoo! are also on the same list. We just need to give attention to Apple & Microsoft, who are not affected by Heartbleed. Check out the detailed list which shows which companies are affected or not by this issue. http://www.dazeinfo.com/2014/04/17/google-inc-goog-worst-aff...


[deleted]


Did you read the article? He was arrested for stealing 900 social insurance numbers from CRA (Canada Revenue Agency, Canada's IRS).


While he obviously behaved rather irresponsibly, talking openly about a hack he did, the word steal is probably a bit strong.

Odds are the insurance numbers are just some of the things that passed through while he performed the hack, or the first thing he saw when he got in. Not something he intentionally took for his own gain.


Intent should count, but if someone broke into a company's building at night, picked the lock to a manager's desk, and stole all the papers he could see and ran out...obviously a theft has occurred.

Even if he was not looking for anything in particular, or did not plan on using any of the information found in the papers, he's committed a felony.

In this case I don't think it's clear whether or not he went ahead to parse out the insurance numbers and save those separately, and if so if he planned to do anything further with those (like sell them).


Yeah uh, your analogy is terribly wrong and just serves to perpetuate life-destroying punishments for innocuous actions. It's more like a street-level window was left open, and this guy stuck his head in and saw a bunch of papers strewn out on a desk, all while wearing a commonly-worn head-mounted camera. Any seriousness of the situation is related to his ultimate intent, not the hacking itself.


I like your analogy in that it portrays the fact that nothing was physically stolen, much similar to arguments used in piracy issues.

However, my understanding of heartbleed is it can take many thousands of requests before interesting / meaningful data is returned. I doubt 900 SINs were returned in a single response (I could be wrong). So I suppose this is analogous to repeatedly sticking your head in & out of the wide open window at street-level.

So what I am curious about is where the line is drawn. Is one malicious packet considered enough for an arrest? 1 million?


Well the standard way of answering that question is that it has nothing to do with the number of packets, but with the ultimate intent and actual damages caused. Unfortunately the legal system considers basically any hacking to be witchcraft and is horribly miscalibrated as to what should be considered serious or not.


I think it depends on exactly what he did here. I don't know the details of the case.

If he simply ran the Heartbleed script for an hour or 2 and did literally nothing else after it finished running, then yes, your analogy is the correct one and mine is wrong. In that case he should probably only be liable for the money spent by the agency in investigating the attack.

If he scraped out the SSL private key from the results, that's clearly worse.

If he additionally scraped out everything that fit the format of an insurance number, then it's quite a bit worse.

If he planned on publicizing or personally using any of these, then it's far worse.

I would also argue that it's less like a window being left open, but rather a door located around the back of the building where no one goes accidentally being left unlocked.


What he achieved should only be relevant in how it demonstrates intent. Deducing the SSL key could be done as a proof-of-concept, and should only matter if it can be used to show that he was planning on impersonating the site in furtherance of some other crime.

I do concede that the proper analogy isn't something so plainly visible to all as an open window, but it does have to incorporate an external motivating factor to try the door (perhaps a rumor floating around town that they tend to leave it unlocked and oh boy you wouldn't believe what's on the other side..)


Wow, you seem to be condoning theft here. The CRA website was hacked, using a hacking technique just discovered. It is not like "leaving a street-level window open". It's more like a new way to pick a lock was discovered that no one knew existed, and he went around picking locks to see what he could find.

He knew he was hacking the CRA when he did it. He can't claim to have done it accidentally. The CRA did everything reasonable to secure their servers.

That said, he's a smart teenager playing with technology and did something he shouldn't have. As long as no one was harmed, and his intentions were just curiosity, I think he should get off pretty light. Hate to see his life ruined.

But you can't deny he hacked the CRA. He did.


An open window is easily spotted, so it probably is more appropriate to say an unlocked window. I didn't deny that he hacked the CRA, or even that those actions are wrong in a sense (on a different day/topic I might make that argument..), but am just pointing out the draconian binary punishment for computer crimes that you're also referencing when you say "Hate to see his life ruined".

Let's say on a lark you go walking down the street trying doorknobs, open the first unlocked one, and sit down on the couch and watch TV until the owner gets home. You have trespassed, and if the owner presses charges you will most likely be punished. However, that punishment will most likely be commensurate with the severity of the crime, not life-altering years in prison.


> It is not like "leaving a street-level window open"

The OpenSSL thing is very much like suddenly discovering you had a street level window open for the past two years.


the article features 2 different things/people/places

insurance numbers + arrest = canada

mumsnet + posting warning = uk


The article is a bit confusing: the hacker who talked about the flaw on a social network seems to be a different one from the one arrested for stealing the credit cards.


Sounds like someone forgot to use Tor.


Probably relying on the claim by some that it was completely undetectable unless you have full packet capture which for the CRA is pretty much a guarantee.


...or that sysadmins are used to script kids the day a glitch comes out. (Hopefully)



